The new Money Laundering, Terrorist Financing and Transfer of Funds Regulations came out in June 2017, so may no longer seem new. But the CCAB's response, revised AML guidance for the accountancy sector to comply with the regulations, was finally approved by HMRC as recently as March 2018.

The new guidance is a step forward. It is easier to read, more concise (although still long) and more practical, with more illustrative examples. The key differences in MLR17, as it has already become known, fall under seven headings:

  • Whole firm risk assessments
  • Internal controls
  • Policies, controls and procedures
  • Client due diligence
  • Simplified due diligence
  • Enhanced due diligence
  • Politically exposed persons

Let's look at them in turn.

Whole firm risk assessments

The first change is that practices must start by completing a whole firm risk assessment, an overall review of where risk might come from. This will of course vary from practice to practice. Factors might include the type of customers, the geography and the type of services provided. There is further guidance and examples on the CCAB bodies' websites, but the key is that it will differ for different types and sizes of practice.

Internal controls

Firms must now appoint a Money Laundering Compliance Principal (MLCP) and that person must be a member of the senior management team. Larger firms must also appoint a nominated officer who is responsible for deciding whether a suspicious activity should be reported to the NCA. The only exception from all this is sole practitioners with no employees, who are exempt. The MLCP's scope now extends to staff screening. They need to consider the skills, knowledge and integrity of relevant employees. The focus might, for example, extend to recruitment, appraisals and training. Finally, there is a requirement for an independent audit function that will carry out independent reviews. There is still some debate about what "independent" means here. It probably isn't external for larger firms but for smaller ones it may need to be. This independent monitoring must be reported to senior management.

Policies, controls and procedures

Documented policies, controls and procedures must be approved by senior management. There has always been encouragement to do this but now it is mandatory. A requirement to run staff training is also not new, but the greater need to monitor it is. Perhaps only relevant for larger practices, there is also now a requirement for group-wide policies to cover overseas subsidiaries and branches.

Client Due Diligence

Client due diligence is not, of course, new, but the new regulations give it a new emphasis and come with some new rules. It is now required for one-off transactions such as company formation services, or single-piece tax advice, as well as of a person purporting to act on behalf of a client.

Simplified Due Diligence

Client due diligence is now embedded into the risk-based approach. The good news is that if a list of low-risk factors is satisfied, you can now complete "simplified client due diligence". That doesn't mean that you can say "I've known this client for 20 years and been to their house - they must be low risk." It is more likely to apply where, for example, the person already operates in a regulated sector.

Enhanced Due Diligence

Of course, the flip side of this is that where there is higher risk, you must complete "enhanced due diligence". So, if your prospective client has activities in a high-risk country, or presents a high risk of terrorist financing, or they are a politically exposed person, you will need to go through a more rigorous process.

Politically exposed persons

The new regulations require you to ascertain whether the person is a politically exposed person (PEP), the spouse of a PEP, a close family member or a close associate. If they are, that doesn't mean you can't act for them, but you must jump through some additional hoops: you'll need senior management approval for the relationship, to take adequate measures to establish the source of funds and wealth, and to perform enhanced monitoring of the relationship.

So that's it. A new regime but not a massive change of direction. In many ways a more nuanced scheme where actions are appropriate to the overall risk in a situation. Get the Whole Firm Risk Assessment right and the rest should be straightforward. Don't get too excited about the simplified due diligence idea; it won't be appropriate for most situations. And make sure you spot the PEPs and their close associates and family members!